Date: Tue, 10 Feb 1998 15:47:54 -0500
Reply-To: CICS List <CICS-L@UGA.CC.UGA.EDU>
Sender: CICS List <CICS-L@UGA.CC.UGA.EDU>
From: "Baker, Steve" <Steve.Baker@FMR.COM>
Subject: Re: Submitting jobs from CICS regions
Watch out for those programs that issue an EXEC CICS SIGNOFF prior to
writing to the
TD queue. Depending on your CICS release and security package you can
get interesting results.
> -----Original Message-----
> Can anyone advise me on what controls can be implemented to control
> submission of batch jobs from a CICS region; through an internal
> reader or
> the spool interface. What I would like to prevent are jobs being
> and run with the userid of the CICS region - as these would have
> access to
> all the resources that the CICS region has.
> I know that you can use the RACF SURROGAT resource class to allow the
> region userid to submit a job that will run under another userid. But
> relies on the USER= parameter being specified on the jobcard.
> Therefore to
> implement this the controls have to be implemented at development
> time. Or
> you have to rely upon the user specifying the parameter themselves.
> What I would like is a control that works the other way around -
> to prevent the CICS region from submitting jobs to run under it's
> So, in order for their job to work the user would have to specify the
> parameter on the jobcard.
> I suppose that if the CICS region ran as a started task you could set
> up a
> SURROGAT profile that didn't permit the regions userid from submitting
> with its userid. But our CICS regions run as jobs which are started
> via a
> RDR started task so the associated userid has to be able to submit
> jobs of
> it's own. And we don't particularly want to change to using started
> So, has anybody got any suggestions?
> Thanks in anticipation.....
> James Harper Upton-by-Chester, Chester, CH2 1EB, UK